SAML Issuer Backend

Since LemonLDAP::NG 1.0rc2

Presentation

Configuration

SAML Service

See SAML service configuration chapter.

IssuerDB



In General Parameters > Modules > Issuer module, select SAML v2.

You can add an Issuer rule that is checked before a user is allowed to use the Issuer module. This can be helpful to prevent some users from using the SAML module. Set it in General Parameters > Advanced Parameters > Security > Issuer Activation Rule.

For example, allow only users from "SAML" group:

$groups =~ /SAML/
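The Issuer Activation Rule is a Perl expression evaluated against the user's session variables, so it can be checked outside LemonLDAP::NG with plain Perl. The script below is an added example, not code from LemonLDAP::NG or this page: it runs the rule above against a few constructed group lists, next to a stricter variant that only matches the exact group name. It assumes that `$groups` holds the user's group names joined by "; " (the default multi-value separator); the session entries are invented for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): evaluate candidate Issuer Activation
# Rules against constructed $groups values to see what each one really matches.
use strict;
use warnings;

# Assumption: LemonLDAP::NG exposes the user's groups to rules as the string
# $groups, with group names joined by "; " (the default multi-value separator).
# These sessions are constructed for the example.
my @sessions = (
    { uid => 'alice', groups => 'SAML; staff' },    # member of the "SAML" group
    { uid => 'bob',   groups => 'staff' },          # no SAML-related group at all
    { uid => 'carol', groups => 'noSAML; staff' },  # group name merely contains "SAML"
    { uid => 'dave',  groups => 'SAMLaudit' },      # group name starts with "SAML"
);

# The rule as written on the page: an unanchored substring match.
sub rule_substring {
    my ($groups) = @_;
    return $groups =~ /SAML/ ? 1 : 0;
}

# Stricter variant (added here): match "SAML" only as a whole element of the
# separator-joined list, so similarly named groups do not enable the module.
sub rule_exact {
    my ($groups) = @_;
    return $groups =~ /(?:^|; )SAML(?:; |$)/ ? 1 : 0;
}

for my $s (@sessions) {
    printf "%-6s groups=%-18s substring=%d exact=%d\n",
        $s->{uid}, "'$s->{groups}'",
        rule_substring( $s->{groups} ), rule_exact( $s->{groups} );
}
```

Running it shows that the substring rule also lets carol and dave use the Issuer module because their group names contain "SAML", while the anchored variant only admits alice. If the rule is meant as an allow-list for one group, anchor the pattern as in the second function rather than relying on a bare substring match.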

Register LemonLDAP::NG on partner Service Provider



After configuring the SAML Service, you can export your metadata to your partner Service Provider. The metadata are available at the EntityID URL, by default: http://auth.example.com/saml/metadata.

Register partner Service Provider on LemonLDAP::NG



In the Manager, select the node Service Providers and click on New metadatas:

[Screenshot: manager-saml-sp-new.png]

The SP name is asked, enter it and click OK.

Now you have access to the SP parameters list.

Metadata


You must register the SP metadata here. You can do it either by uploading the file, or by fetching it from the SP metadata URL (this requires a network link between your server and the SP).

You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.

Exported attributes


For each attribute, you can set:

Options
Authentication response
Signature


These options override the service signature options (see SAML service configuration).

Security